post-review changes

Author: Alex-Welsh

doc/source/configuration/firewall.rst

@@ -19,19 +19,23 @@ follows:
 .. code-block:: yaml
    :caption: ``etc/kayobe/controllers.yml``
 
-   controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+   controller_firewalld_enabled: true
    controller_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+   controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+   # Predefined zones are listed here:
+   # https://firewalld.org/documentation/zone/predefined-zones.html
+   # Unset to leave the default zone unchanged
+   controller_firewalld_default_zone: drop
 
 This will configure the standard set of firewalld rules on controller hosts.
-Rule definitions are automatically added according to group membership.Rule
+Rule definitions are automatically added according to group membership. Rule
 sets exist for the following groups:
 
 * Controllers - ``stackhpc_controller_firewalld_rules``
 * Compute - ``stackhpc_compute_firewalld_rules``
 * Storage - ``stackhpc_storage_firewalld_rules``
 * Monitoring - ``stackhpc_monitoring_firewalld_rules``
-* Wazuh Manager Infrastructure VM - ``stackhpc_infra_vm_firewalld_rules``
-* Ansible Control host Infrastructure VM - ``stackhpc_infra_vm_firewalld_rules``
+* Wazuh Manager Infrastructure VM - ``stackhpc_wazuh_manager_infra_vm_firewalld_rules``
+* Ansible Control host Infrastructure VM - ``stackhpc_ansible_control_infra_vm_firewalld_rules``
 * Seed - ``stackhpc_seed_firewalld_rules``
 * Seed Hypervisor - ``stackhpc_seed_hypervisor_firewalld_rules``
-

etc/kayobe/inventory/group_vars/all/firewall

@@ -6,7 +6,7 @@
 stackhpc_firewalld_zones: |
   {% set network_zones = [] %}
   {% for network in network_interfaces %}
-  {% if network | net_zone is not none %}
+  {% if network | net_zone %}
   {% set _ = network_zones.append({'zone': network | net_zone }) %}
   {% endif %}
   {% endfor %}
@@ -18,14 +18,14 @@ stackhpc_firewalld_rules: |
       (stackhpc_storage_firewalld_rules if 'storage' in group_names else []) +
       (stackhpc_monitoring_firewalld_rules if 'monitoring' in group_names else []) +
       (stackhpc_seed_firewalld_rules if 'seed' in group_names else []) +
-      (stackhpc_seed_hypervisor_firewalld_rules if 'seed_hypervisor' in group_names else []) +
-      (stackhpc_wazuh_manager_infra_vm_firewalld_rules if 'wazuh_manager' in group_names else []) +
-      (stackhpc_ansible_control_infra_vm_firewalld_rules if 'ansible_control' in group_names else []) }}
+      (stackhpc_seed_hypervisor_firewalld_rules if 'seed-hypervisor' in group_names else []) +
+      (stackhpc_wazuh_manager_infra_vm_firewalld_rules if 'wazuh-manager' in group_names else []) +
+      (stackhpc_ansible_control_infra_vm_firewalld_rules if 'ansible-control' in group_names else []) }}
 
 ###############################################################################
 # Controller firewalld rules
 
-stackhpc_controller_firewalld_rules: |
+stackhpc_controller_firewalld_rules: >-
   {{ stackhpc_controller_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -34,7 +34,7 @@ stackhpc_controller_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_controller_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_controller_firewalld_rules_default:
   # Common
@@ -123,7 +123,7 @@ stackhpc_controller_firewalld_rules_extra: []
 ###############################################################################
 # Compute firewalld rules
 
-stackhpc_compute_firewalld_rules: |
+stackhpc_compute_firewalld_rules: >-
   {{ stackhpc_compute_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -132,7 +132,7 @@ stackhpc_compute_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_compute_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_compute_firewalld_rules_default:
   # Common
@@ -170,7 +170,7 @@ stackhpc_compute_firewalld_rules_extra: []
 ###############################################################################
 # Storage firewalld rules
 
-stackhpc_storage_firewalld_rules: |
+stackhpc_storage_firewalld_rules: >-
   {{ stackhpc_storage_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -179,7 +179,7 @@ stackhpc_storage_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_storage_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_storage_firewalld_rules_default:
   # Common
@@ -214,7 +214,7 @@ stackhpc_storage_firewalld_extra: []
 ###############################################################################
 # Monitoring firewalld rules
 
-stackhpc_monitoring_firewalld_rules: |
+stackhpc_monitoring_firewalld_rules: >-
   {{ stackhpc_monitoring_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -223,7 +223,7 @@ stackhpc_monitoring_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_monitoring_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_monitoring_firewalld_rules_default:
   - rules:
@@ -238,7 +238,7 @@ stackhpc_monitoring_firewalld_rules_extra: []
 ###############################################################################
 # Infra VM firewalld rules (Wazuh Manager)
 
-stackhpc_wazuh_manager_infra_vm_firewalld_rules: |
+stackhpc_wazuh_manager_infra_vm_firewalld_rules: >-
   {{ stackhpc_wazuh_manager_infra_vm_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -247,18 +247,14 @@ stackhpc_wazuh_manager_infra_vm_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_wazuh_manager_infra_vm_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_wazuh_manager_infra_vm_firewalld_rules_default:
   - rules:
       - service: ssh
         zone: "{{ provision_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
         state: enabled
-      - service: ssh
-        zone: "{{ switch_mgmt_net_name | net_zone }}"
-        network: "{{ switch_mgmt_net_name }}"
-        state: enabled
       - port: 1514/tcp
         zone: "{{ provision_oc_net_name | net_zone }}"
         network: "{{ provision_oc_net_name }}"
@@ -294,7 +290,7 @@ stackhpc_wazuh_manager_infra_vm_firewalld_rules_extra: []
 ###############################################################################
 # Infra VM firewalld rules (Ansible Control)
 
-stackhpc_ansible_control_infra_vm_firewalld_rules: |
+stackhpc_ansible_control_infra_vm_firewalld_rules: >-
   {{ stackhpc_ansible_control_infra_vm_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -303,18 +299,14 @@ stackhpc_ansible_control_infra_vm_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_ansible_control_infra_vm_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 stackhpc_ansible_control_infra_vm_firewalld_rules_default:
   - rules:
     - service: ssh
       zone: "{{ provision_oc_net_name | net_zone }}"
       network: "{{ provision_oc_net_name }}"
       state: enabled
-    - service: ssh
-      zone: "{{ switch_mgmt_net_name | net_zone }}"
-      network: "{{ switch_mgmt_net_name }}"
-      state: enabled
     enabled: true
 
 stackhpc_ansible_control_infra_vm_firewalld_rules_extra: []
@@ -324,7 +316,7 @@ stackhpc_ansible_control_infra_vm_firewalld_rules_extra: []
 
 
 stackhpc_seed_firewalld_rules: []
-# stackhpc_seed_firewalld_rules: |
+# stackhpc_seed_firewalld_rules: >-
 #   {{ stackhpc_seed_firewalld_rules_default |
 #     selectattr('enabled', 'true') |
 #     map(attribute='rules') |
@@ -333,7 +325,7 @@ stackhpc_seed_firewalld_rules: []
 #     selectattr('zone') |
 #     union(stackhpc_seed_firewalld_rules_extra) |
 #     unique |
-#     select}}
+#     select }}
 
 # TODO: do
 stackhpc_seed_firewalld_rules_default: []
@@ -346,7 +338,7 @@ stackhpc_seed_firewalld_rules_extra: []
 ###############################################################################
 # Seed Hypervisor firewalld rules
 
-stackhpc_seed_hypervisor_firewalld_rules: |
+stackhpc_seed_hypervisor_firewalld_rules: >-
   {{ stackhpc_seed_hypervisor_firewalld_rules_default |
     selectattr('enabled', 'true') |
     map(attribute='rules') |
@@ -355,7 +347,7 @@ stackhpc_seed_hypervisor_firewalld_rules: |
     selectattr('zone') |
     union(stackhpc_seed_hypervisor_firewalld_rules_extra) |
     unique |
-    select}}
+    select }}
 
 # TODO: Check
 stackhpc_seed_hypervisor_firewalld_rules_default:

etc/kayobe/networks.yml

@@ -62,9 +62,6 @@
 # Name of the network used to manage octavia loadbalancers
 octavia_net_name: ""
 
-# Name of the network used to manage network switches
-switch_mgmt_net_name: ""
-
 ###############################################################################
 # Network definitions.
 

releasenotes/notes/automated-firewalld-a95e7322fd457259.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    A default firewall configuration is now included on an opt-in basis. The
+    rules are defined under ``etc/kayobe/inventory/group_vars/all/firewall``.
+    More information can be found `here
+    <https://stackhpc-kayobe-config.readthedocs.io/en/stackhpc-2023.1/configuration/firewall.html>`__